Security Release: Symfony 2.0.6

Symfony 2.0.6 has just been released. It addresses a security vulnerability in
the EntityUserProvider as provided in the Doctrine bridge.

If you let your users update their login/username from a form, and if you are
using Doctrine as a user provider, then you are vulnerable and you should
upgrade as soon as possible.

The issue is that a user can end up switched to another user's account. Here is
how to reproduce it: the current user changes their username via a form to
another, already existing username. When the form is submitted, they get a
validation error (because the username already exists), but the user object
held in the session has nonetheless been modified to the new username. That
session object is used for the following requests, so the user is effectively
switched to the other user.

The fix is to always refresh the user via the primary key (which cannot be
updated via a form) instead of the username.
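To make the two refresh strategies concrete, here is an added, self-contained illustration (not Symfony's or Doctrine's code). `User`, `Repository` and `UserProvider` are assumed stand-ins for the Doctrine entity, its repository and the bridge's `EntityUserProvider`; the database is an in-memory array keyed by primary key and the "session" is simply the `User` object kept between the simulated requests.

```php
<?php
declare(strict_types=1);

// Added illustration, not Symfony's code. Names below are assumptions.

final class User
{
    public int $id;          // primary key: never bound to the profile form
    public string $username; // editable through the profile form

    public function __construct(int $id, string $username)
    {
        $this->id = $id;
        $this->username = $username;
    }
}

final class Repository
{
    /** @var array<int, User> */
    private array $rows = [];

    /** @param User[] $users */
    public function __construct(array $users)
    {
        foreach ($users as $user) {
            $this->save($user);
        }
    }

    // Persist a copy so objects handed out (and mutated by a form) never alias
    // the stored row; only an explicit save() writes changes back.
    public function save(User $user): void
    {
        $this->rows[$user->id] = clone $user;
    }

    public function find(int $id): ?User
    {
        return isset($this->rows[$id]) ? clone $this->rows[$id] : null;
    }

    public function findOneByUsername(string $username): ?User
    {
        foreach ($this->rows as $row) {
            if ($row->username === $username) {
                return clone $row;
            }
        }
        return null;
    }
}

final class UserProvider
{
    private Repository $repository;

    public function __construct(Repository $repository)
    {
        $this->repository = $repository;
    }

    // Pre-2.0.6 behaviour: re-load by a field the user controls.
    public function refreshByUsername(User $sessionUser): ?User
    {
        return $this->repository->findOneByUsername($sessionUser->username);
    }

    // 2.0.6 behaviour: re-load by the primary key, which a form cannot change,
    // so anything the form wrote onto the session object is discarded.
    public function refreshByIdentifier(User $sessionUser): ?User
    {
        return $this->repository->find($sessionUser->id);
    }
}

// Replays the reproduction steps from the announcement and returns the id of
// the account the application treats as "the current user" afterwards.
function simulate(bool $refreshByPrimaryKey): int
{
    $repository = new Repository([new User(1, 'alice'), new User(2, 'bob')]);
    $provider = new UserProvider($repository);

    // Request 1: alice logs in; the token in the session holds her User object.
    $sessionUser = $repository->findOneByUsername('alice');

    // Request 2: alice submits the profile form with bob's username. The form
    // binds the value onto the entity before validation; the uniqueness check
    // fails so nothing is saved, but the session object is already mutated.
    $submitted = 'bob';
    $sessionUser->username = $submitted;
    $usernameTaken = $repository->findOneByUsername($submitted) !== null;
    if (!$usernameTaken) {
        $repository->save($sessionUser); // not reached: 'bob' is already taken
    }

    // Request 3: the firewall refreshes the user from the session object.
    $refreshed = $refreshByPrimaryKey
        ? $provider->refreshByIdentifier($sessionUser)
        : $provider->refreshByUsername($sessionUser);

    return $refreshed->id;
}

printf("refresh by username    -> authenticated as user id %d\n", simulate(false));
printf("refresh by primary key -> authenticated as user id %d\n", simulate(true));
```

Running this with `php` shows the switch the announcement describes: refreshing by username resolves the mutated session object to bob's row (id 2), while refreshing by the primary key resolves it back to alice's persisted row (id 1), with her stored username restored. It also shows why the fix depends on the serialized user object carrying its Doctrine identifier: without the primary key there is nothing trustworthy left to refresh from.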

If you cannot upgrade immediately, please apply the following
patch:
https://github.com/symfony/symfony/commit/9d2ab9ca9c1762

The CHANGELOG
has all the details about all the other changes and you can have a look at the
full diff.

If you are starting a new project, you can get the Symfony Standard Edition
distribution on the download page.

If you already have a project based on the Symfony Standard Edition 2.0.x, you
can easily upgrade to 2.0.6 by getting the new deps and deps.lock files.

Then, run the vendors script:

$ ./bin/vendors install

And don't forget to clear your cache:

$ php ./app/console cache:clear

Remember that the Symfony2 Components are also available as standalone
libraries. You can get them via their dedicated read-only repositories on
Github (https://github.com/symfony/Finder for instance), install them via
PEAR (pear install symfony2/Finder), or even
install them via Composer.

As we've stated in the past, please report security-related issues to security
[at] symfony-project [dot] com rather than posting them directly to Github.
This will give the core team the opportunity to review and address the issue
before word gets out.

If you have found a security issue in Symfony, please send the
details to security [at] symfony.com and don't
disclose it publicly until we can provide a fix for it.

Comments

Small hint: you can get patches (or diffs) from github directly by simply appending ".patch" (or ".diff") to the url. So, to get a patch file for the security related commit: https://github.com/symfony/symfony/commit/9d2ab9ca9c1762.patch

I have a problem with refreshing the logged-in user via the security context by username. It seems like the $entity in the method getIdentifierValues of Doctrine/Orm/Mapping/ClassMetaData.php should have an 'id' value (from the Token?), or maybe there should be more elements in $this->identifier? Also, $this->isIdentifierComposite is false.